Lucene search
+L
Fit2cloud1panel

21 matches found

CVE
CVE
added 2023/08/10 5:42 p.m.2604 views

CVE-2023-39965

CVE-2023-39965 affects the 1Panel backend (version 1.4.3) where authenticated users can download arbitrary files through the API interface, causing information leakage. The root cause is unauthorized file access via the API (not requiring high privileges). The issue is addressed in version 1.5.0,...

6.5CVSS5.4AI score0.00382EPSS
CVE
CVE
added 2023/07/05 8:57 p.m.2597 views

CVE-2023-36458

1Panel is an open source Linux server operation and maintenance panel. Affected versions are

8.8CVSS7.5AI score0.02313EPSS
CVE
CVE
added 2023/07/05 8:57 p.m.2581 views

CVE-2023-36457

1Panel (open-source Linux server operation/maintenance panel) prior to v1.3.6 is affected by a command injection vulnerability when adding container repositories. An authenticated attacker can craft a malicious payload (as demonstrated by the reported payloads in advisories) to trigger code execu...

8.8CVSS7.5AI score0.02313EPSS
CVE
CVE
added 2023/08/10 5:39 p.m.2540 views

CVE-2023-39964

Summary: CVE-2023-39964 affects 1Panel O&M panel. In version 1.4.3, the function LoadFromFile in api/v1/file.go reads a server file directly from the unfiltered path parameter, enabling arbitrary file reads of important configuration files. The issue is a background file read vulnerability exploi...

7.5CVSS7.3AI score0.0082EPSS
In wild
CVE
CVE
added 2023/08/10 5:46 p.m.2521 views

CVE-2023-39966

1Panel CVE-2023-39966 affects v1.4.3; the api/v1/file.go SaveContentthat function accepts user POST JSON without proper parameter filtering, enabling arbitrary file writes and potential full server control. 1.5.0 patches this issue. Related advisories cite an arbitrary file write vulnerability wi...

9.8CVSS8.6AI score0.00698EPSS
Web
CVE
CVE
added 2024/02/05 3:7 p.m.150 views

CVE-2024-24768

What is affected : 1Panel, a Linux server operation and maintenance management panel. Vulnerability : The HTTPS session cookie used by 1Panel does not have the Secure attribute, which may allow the cookie to be exposed over non-HTTPS connections. Root cause / details in sources : Cookie missing S...

7.5CVSS7.3AI score0.00304EPSS
CVE
CVE
added 2024/03/10 1:31 a.m.132 views

CVE-2024-2352

1Panel up to 1.10.1-lts is affected by CVE-2024-2352 via command injection in the function baseApi.UpdateDeviceSwap (file /api/v1/toolbox/device/update/swap). The issue arises from untrusted input in the Path argument (example: 123123123\nopen -a Calculator), which can be exploited remotely. Publ...

9.8CVSS6.8AI score0.03044EPSS
Web
CVE
CVE
added 2024/03/06 6:23 p.m.109 views

CVE-2024-27288

1Panel open source Linux server panel vulnerable before version 1.10.1-lts . If a user intercepts a request with Burp to the secure entry point, they can obtain unauthorized access to the console page (no data returned or modifications in some reports). The issue is fixed in v1.10.1-lts; affected...

6.3CVSS6.1AI score0.00471EPSS
CVE
CVE
added 2024/05/09 2:38 p.m.87 views

CVE-2024-34352

CVE-2024-34352 affects the 1Panel project (open source Linux server O&M panel). Prior to v1.10.3-lts, command injection vulnerabilities allow arbitrary file writes and can lead to remote code execution. The root cause involves inadequate input filtering and an exploit path using the mirror config...

7.5CVSS6.8AI score0.01329EPSS
CVE
CVE
added 2023/07/18 6:25 p.m.76 views

CVE-2023-37477

1Panel exposes an OS command injection in its firewall IP endpoint (/hosts/firewall/ip). The vulnerability allows an authenticated attacker to craft input that leads to arbitrary command execution, potentially full system compromise. The issue stems from lack of input validation in the firewall f...

8.8CVSS8AI score0.05354EPSS
Web
CVE
CVE
added 2024/07/18 3:31 p.m.73 views

CVE-2024-39907

1Panel is affected by an authenticated SQL injection vulnerability in its web-based Linux server management panel. The connected Nuclei template and related advisories describe multiple SQL injections that are not properly filtered, enabling arbitrary file writes and remote code execution (RCE). ...

9.8CVSS9.7AI score0.29396EPSS
CVE
CVE
added 2024/04/18 2:56 p.m.68 views

CVE-2024-30257

CVE-2024-30257 affects 1Panel, an open-source Linux server operations and maintenance panel. The vulnerability arises from password verification using a != comparison instead of the secure hmac.Equal , creating a timing side-channel that could facilitate password guessing. Multiple sources corrob...

5.9CVSS4.5AI score0.0038EPSS
CVE
CVE
added 2025/08/01 11:4 p.m.62 views

CVE-2025-54424

1Panel (Go to Mode C): The CVE-2025-54424 vulnerability affects 1Panel versions 2.0.5 and earlier, where TLS certificate verification between Core and Agent endpoints is incomplete, allowing an attacker to bypass client cert validation and access high-privilege interfaces. This leads to remote co...

9.8CVSS8.1AI score0.00901EPSS
CVE
CVE
added 2024/07/18 3:35 p.m.59 views

CVE-2024-39911

CVE-2024-39911 affects 1Panel, a web-based Linux server management control panel. The issue is an unspecified SQL injection via User-Agent handling that can impact confidentiality, integrity, and availability. Red Hat and other sources corroborate the same description and note the fix in version ...

10CVSS9.7AI score0.04566EPSS
CVE
CVE
added 2025/09/10 12:0 a.m.38 views

CVE-2025-56413

CVE-2025-56413 affects 1panel v2.0.8, where the OS command injection occurs in the OperateSSH function. An attacker can trigger arbitrary commands via the operation parameter of the /api/v2/hosts/ssh/operate endpoint. This aligns with the reported CVSS: NETWORK vector, HIGH impact (C, I, A). Publ...

8.8CVSS7.5AI score0.0123EPSS
Web
CVE
CVE
added 2025/12/09 1:25 a.m.33 views

CVE-2025-66507

CVE-2025-66507 (1Panel) : 1Panel is affected; versions 2.0.13 and earlier expose a CAPTCHA bypass via a client-controlled parameter that the server trusted without validation. This allows an unauthenticated attacker to bypass CAPTCHA verification, enabling automated login attempts and increasing ...

7.5CVSS6.5AI score0.00405EPSS
CVE
CVE
added 2026/01/18 10:10 p.m.28 views

CVE-2026-23525

CVE-2026-23525 affects 1Panel, a web-based Linux server management panel. The stored XSS vulnerability originates from insufficient sanitization in the MdEditor component (previewOnly) used to render App Store and related content, allowing malicious scripts to run in the user’s browser and potent...

8.4CVSS5.6AI score0.00306EPSS
CVE
CVE
added 2025/12/10 4:7 p.m.27 views

CVE-2025-34410

1Panel versions 1.10.33–2.0.15 have a CSRF in Change Username under /settings/panel. The endpoint lacks anti-CSRF tokens and Origin/Referer checks, enabling an attacker to submit a username-change request via a malicious page while the victim is authenticated. The victim’s username can be changed...

7.1CVSS6.4AI score0.00133EPSS
Web
CVE
CVE
added 2025/12/10 6:23 p.m.26 views

CVE-2025-34429

1Panel CSRF in web port configuration affects versions 1.10.33–2.0.15. The port-change endpoint lacks anti-CSRF defenses (no anti-CSRF tokens; no Origin/Referer checks). An attacker can lure an authenticated user to submit a crafted request, causing the web service to listen on a new port and pot...

7.1CVSS6.6AI score0.0015EPSS
CVE
CVE
added 2025/12/09 1:37 a.m.22 views

CVE-2025-66508

1Panel (GitHub/Governance: 1Panel) contains a vulnerability where Gin’s default proxy trust config (TrustedProxies = 0.0.0.0/0) causes X-Forwarded-For headers to be trusted, letting attackers bypass IP-based access controls (AllowIPs, API whitelists, localhost checks) by sending X-Forwarded-For: ...

6.5CVSS6.4AI score0.00204EPSS
CVE
CVE
added 2025/12/10 6:23 p.m.20 views

CVE-2025-34430

CVE-2025-34430 concerns a CSRF in 1Panel (versions 1.10.33 through 2.0.15) affecting the panel name management functionality. The affected endpoint reportedly lacks CSRF defenses such as anti-CSRF tokens and Origin/Referer validation. An attacker can lure an authenticated user to a malicious page...

5.1CVSS6.6AI score0.00179EPSS